Introduction and scope

ISO/IEC 27000 “provides an overview of information security management systems” (and hence the ISO27k standards), and “defines related terms” (i.e. a glossary that formally and explicitly defines many of the specialist terms as they are used in the ISO27k standards).

ISMS/ISO27k vocabulary section

The vocabulary or glossary of carefully-worded formal definitions covers most of the specialist information security-related terms used in the ISO27k standards. Information security, like most technical subjects, uses a complex web of terminology that is continually evolving. Several core terms in information security (such as “risk”) have different meanings or interpretations according to the context, the author’s intention and the reader’s preconceptions. Few authors take the trouble to define precisely what they mean but such ambiguity is distinctly unhelpful in the standards arena as it leads to confusion. Apart from anything else, it would be awkward to assess and certify compliance with ISO/IEC 27001 if the specialist terms meant different things to the assessors and the assessed!

The vocabulary in ISO/IEC 27000 is gradually spreading throughout the global information security profession although some individuals and groups differ, sometimes with good reason, creating occasional misunderstandings, clashes, and conceptual chasms. Even if you happen to disagree with the definitions here, it’s well worth getting familiar with them as some of your professional contacts will implicitly accept the ISO/IEC versions.

ISO/IEC 27000 largely supersedes ISO/IEC Guide 2:1996 “Standardization and related activities – General vocabulary”, ISO Guide 73:2009 “Risk management – Vocabulary – Guidelines for use in standards”, and ISO/IEC 2382-8: “Information technology - Vocabulary Part 8: Security”. It also includes definitions taken from a few non-ISO27k ISO standards. Terms that are reproduced unchanged from other ISO standards such as ISO 9000 are not always entirely appropriate as such in the information security context. They are not necessarily used in the ISO27k standards in full accordance with the original definitions or intended meanings. However, as the definitions are gradually updated or superseded, the lexicon is evolving into a reasonably coherent and consistent state across the whole ISO27k suite - a remarkable achievement in its own right given the practical difficulties of coordinating the effort across a loose collection of separate committees, editing projects, editors and managers, developing the language and the concepts as we go.

ISMS/ISO27k overview section

The overview of Information Security Management Systems (ISMSs) introduces information security, risk and security management, and management systems. It is a reasonably clear if rather wordy description of the ISO27k approach and standards, from the perspective of the committee that wrote them. There’s only one diagram, unfortunately, and all that does is group similar types of ISO27k standards together, but, hey, that leaves room for sites such as this one!

Status of the standard

ISO/IEC 27000, first published in 2009 was updated in 2012, 2014 and 2016. The 2016 fourth edition is available as a legitimate FREE download in both English et Francaise.

A minor revision to ISO/IEC 27000:2016 should be published next, possibly this year but more likely in 2018. It may include a section on abbreviations. Proposed new terms and modified definitions may include: disaster recovery, owner, risk source and traceability. The definition of policy may be dropped since the Oxford English Dictionary definition is adequate (better in fact!), while asset may yet make a triumphant reappearance, perhaps being defined in terms of primary assets (such as information) and supporting assets (such as IT systems) as if that helps ...

Personal comments

I wish the committee would replace “information security risk” throughout ISO27k with the simpler and more appropriate term “information risk”. “Information security risk” is not formally defined as a complete phrase and doesn’t even make sense: it is presumably trying to indicate that we are talking about risk in the context of information security, but it could be interpreted as “risk to information security” which I guess would including things such as failing to identify novel risks, and lack of management support for the function: those are risks, but they are not the focus of ISO27k. “Information risk”, in contrast, is self-evident but, if the committee feels the desperate need for an explicit definition, I suggest something as simple as “risk relating to or involving information” or even “risk pertaining to information”, where both risk and information are adequately defined in dictionaries (whereas the ISO27k definition of risk is unhelpful).

The future of ISO/IEC 27000 is still in question, partly due to new ISO directives that (for some unknown reason) evidently prohibit the standard containing both definitions and narrative. A proposal has been made to revert to the older mechanism whereby each ISO27k standard contains its own set of definitions, maintained by the respective editorial teams. That approach didn’t work very well before and I have no reason to think it has mysteriously improved. Another suggestion is to publish the glossary outside the ISO/IEC/ITTF system, which has the advantage of speeding-up the process: ISO appears to be suggesting online glossaries, perhaps based on the ISO Online Browsing Platform (OBP) and/or the IEC’s equivalent International Electrotechnical Vocabulary (IEV, a.k.a. Electropedia).